Setup 2FA with YubiKey and LUKS

Hello,

I would like to set up two-factor authentication with yubikey-full-disk-encryption.
At the moment I’m using the disk-encryption which one can choose during the installation process of Manjaro in combination with a separate encrypted home partition on a second hard drive.

This is my partition structure:

NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                                   8:0    0   1,8T  0 disk 
└─sda1                                                8:1    0   1,8T  0 part 
  └─sda1_crypt                                      254:2    0   1,8T  0 crypt /home
nvme0n1                                             259:0    0 476,9G  0 disk           
├─nvme0n1p1                                         259:1    0   300M  0 part  /boot/efi
├─nvme0n1p2                                         259:2    0 467,8G  0 part 
│ └─luks-uid1                                       254:0    0 467,8G  0 crypt /
└─nvme0n1p3                                         259:3    0   8,8G  0 part 
  └─luks-uid2                                       254:1    0   8,8G  0 crypt [SWAP]

Extract of /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=uid1:luks-uid1 root=/dev/mapper/luks-uid1 resume=/dev/mapper/luks-uid1 apparmor=1 security=apparmor udev.log_priority=3 acpi_backlight=vendor amd_iommu=on"
GRUB_ENABLE_CRYPTODISK=y

What I tried so far:

  1. Add new LUKS-key with ykfde-enroll to the root and swap partition

  2. Change /etc/ykfde.conf

     YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
     YKFDE_CHALLENGE_SLOT="2" 
    
  3. Change /etc/mkinitcpio.conf:

     HOOKS=(... ykfde encrypt ...)

When I started the system after these changes, I got the familiar GRUB prompt to enter my passphrase. After that I got a message from ykfde that the partitions had already been decrypted.

I hope someone knows how I could set it up easily.

Kind regards
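
An added example, not part of the original post or of the yubikey-full-disk-encryption project: a POSIX shell check of the two files edited in steps 2 and 3. It confirms that ykfde is in the active HOOKS array ahead of encrypt and that the two ykfde.conf settings from the post are uncommented. The function names and sample files are constructed for illustration, and an unset slot is assumed to fall back to the tool's default.

```shell
# Added example, not ykfde's own code: lint the files edited in steps 2 and 3.

# conf_get FILE KEY: value of an uncommented KEY=value line (last one wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# hooks_list FILE: entries of the active HOOKS=(...) array, one per line.
hooks_list() {
    sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*/\1/p' "$1" | tail -n 1 |
        tr -s ' \t"' '\n\n\n' | sed '/^$/d'
}

# hook_pos FILE NAME: 1-based position of NAME in HOOKS, empty if absent.
hook_pos() {
    hooks_list "$1" | awk -v h="$2" '$0 == h { print NR; exit }'
}

# check_ykfde MKINITCPIO_CONF YKFDE_CONF: prints findings, returns 1 on any FAIL.
check_ykfde() {
    rc=0
    yk=$(hook_pos "$1" ykfde)
    enc=$(hook_pos "$1" encrypt)
    if [ -z "$yk" ]; then
        echo "FAIL: ykfde is not in the active HOOKS line"; rc=1
    elif [ -n "$enc" ] && [ "$yk" -gt "$enc" ]; then
        echo "FAIL: ykfde comes after encrypt, so encrypt runs first"; rc=1
    else
        echo "OK: ykfde hook present (position $yk)"
    fi
    slot=$(conf_get "$2" YKFDE_CHALLENGE_SLOT)
    case "$slot" in
        1|2) echo "OK: challenge-response slot $slot" ;;
        "")  echo "INFO: YKFDE_CHALLENGE_SLOT not set; the tool's default applies" ;;
        *)   echo "FAIL: YKFDE_CHALLENGE_SLOT is '$slot', expected 1 or 2"; rc=1 ;;
    esac
    if [ "$(conf_get "$2" YKFDE_CHALLENGE_PASSWORD_NEEDED)" = "1" ]; then
        echo "OK: passphrase is requested as the challenge (2FA mode)"
    else
        echo "FAIL: YKFDE_CHALLENGE_PASSWORD_NEEDED is not 1 (commented out?)"; rc=1
    fi
    return "$rc"
}

# Constructed sample input mirroring the post; point at /etc on a real system.
demo=$(mktemp -d)
printf '%s\n' '#HOOKS=(base udev encrypt)' 'HOOKS=(base udev ykfde encrypt filesystems)' > "$demo/mkinitcpio.conf"
printf '%s\n' 'YKFDE_CHALLENGE_PASSWORD_NEEDED="1"' 'YKFDE_CHALLENGE_SLOT="2" ' > "$demo/ykfde.conf"
check_ykfde "$demo/mkinitcpio.conf" "$demo/ykfde.conf"
```

The check only covers the initramfs side of the setup; it does not inspect the GRUB settings shown in the post.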